-
In an effort to improve the security of consumers, the payment card industry (commonly referred to as PCI) established standards that anyone receiving credit or debit card payments should follow. These standards were created by major credit card companies and financial institutions to protect the cardholder's payment data. The standards are referred to as payment card industry data security standards (PCI DSS).
The standards are not federal laws. Rather, they cannot be enforced unless the credit card company or financial institution in which the card is distributed from and the retailer accepting that particular credit/debit card payments are in agreement about the standards. - On May 21, 2007, Minnesota became the first state to support the PCI standards. Gov. Timothy Pawlenty signed an act that would forever change the way that Minnesota debit and credit card transactions are handled. The Minnesota Senate and House of Representatives also found the movement to be necessary. The law passed in the Senate with a 63-1 vote and in the House by a 122-4 vote.
- In Chapter 108, Section 1 of Minnesota Law, the Plastic Card Security Act is defined. Referenced as 325E.64 "Access Devices; Breach of Security," this legal reference clearly defines the components of the act, the parties that could potentially be involved in any transactions affected by the Plastic Card Security Act, how transactions should be handled, who is responsible if there are violations of the law and what those penalties are.
- The Plastic Card Security Act states that a person or business that allows a person to pay for a good or service using a card with a magnetic strip on the back of the card (in most cases a debit or credit card) is not allowed to store information about that card for more than 48 hours. The information taken from the card could contain the PIN the customer used to approve the transaction, the security code on the back of the card or a plethora of information gathered from the magnetic strip on the back of the card.
-
The Minnesota law that passed the Plastic Security Act states that the person or business that accepts the debit or credit card transaction is also the party responsible if information is stolen if that information is saved longer than the 48 hours allowed for the transaction to be received. Simply put, violating this law will make any business or person that does not secure the customer's information, completely responsible for any wrongdoing that is done to the customer.
It is then the responsibility of that person or business to correct the wrongdoing to the customer. This correction could come in the form of financially covering any transactions illegally done due to the customer's information being stolen by another party. -
This law is not popular in the business community. Some businesses believe that the law will wrongfully make them accountable for illegal activity that is not there doing. If a third party steals information from the business, the business is also a victim. Businesses feel that they should not be responsible for actions made by another party when that other party should be held accountable.
The law clearly states that the information should not be held in any system for more than 48 hours following the transaction. Advocates for the law argue that if the information was never held in the business' possession, the customer's information would never have been stolen.
